To forge an effective security policy, forget the firewall

According to a report published by research house IDC earlier this year, the Internet security market is exploding. Driven by ecommerce and rising internal threats, it is predicted to grow from the $3.1bn in 1998 to $7.4bn in 2002. And it will be firewalls that grow at the most rapid rate.

But is it safe to rely on a firewall?

According to Malcolm Skinner, product marketing manager at security company, Axent, there are plenty of other variables to worry about. "Security is about policy not technology. You've got to plan the infrastructure right. People who trust solely in firewalls have a false sense of security.

"Behind the firewall you've got to have intrusion detection systems so you can monitor external and internal users. If you haven't got a policy in place, one bit of technology isn't going to help you," Skinner said. "Until now people bought security as a reaction to breaches, now they're being to think about it strategically."

Dominic Storey, director of technology EMEA at RSA Security, agreed. Passwords "just aren't safe", he claimed, and the only way to be sure of security is to positively identify and monitor any traffic on your network.

Even after spending a lot of money on technology, a firewall can easily be installed wrong. Bob Walder, consultant at The NSS Group, said: "It needs a dedicated, clean server. The installation is very important - you can't just put it onto a server that already carries viruses. It won't sort out existing problems."

Walder continued: "[Security] is also about door locks, reception passes and how you dispose of old documents. Your policy has got to go right from the grassroots all the way up."

Jan Guldentops, director of consultancy, Better Access Networking, claimed part of the problem is that vendors have made firewalls too easy to install, encouraging unqualified people to make an attempt.

The only way to be confident in your firewall, he said, is to install two completely different systems on two completely different operating systems and two completely different servers. Then if something undesirable gets through one system undetected, the other will probably stop it.

Now there is a push for security issues to become integrated into the industry at every level. According to Axent's Skinner, application developers largely ignore the problems. "That's why there are security developers like us to bolt on security features," he said.

RSA's Storey agreed: "Security features need to be built into development languages, into the object-orientated framework. Then you are building security into the environment."

But Storey claimed that the security market is making progress and the approach is being redefined. "You have to look at security on the application level as well as the server level," he asserted. "You simply can't afford to trust everyone who has got past the firewall."